I've always thought that the GPLv3 effort was one of the FSF's biggest mistakes. It split the GPL community into GPLv2 and GPLv3, since the two aren't compatible. And the GPLv3 was simply far too scary for companies.
It's clear that the Apache license is more friendly toward corporate concerns. But companies were willing to deal with GPLv2, because there were sufficiently large projects (such as the Linux kernel) that added enough value that it overcame their fears over how the GPLv2 restricted how they could monetize their software engineering investments.
Unfortunately, the GPLv3 and even more so, the AGPLv3, was simply a step too far; put simply, in my opinion, the FSF overplayed their hand. Whether a more scaled back GPLv3, or simply sticking with GPLv2, with all of its admitted ambiguities and admitted legal short-comings, would have made enough of a difference at the end of the day is impossible to know. But I think copyleft as a viable open source licensing regime, and the GPL in particular, would have had a much better chance of success if GPLv3 never happened.
> the GPLv3 was simply far too scary for companies.
The FSF made a huge effort to make GPLv3 not scary. They tried to involve absolutely everyone, and tried to take everyone’s concern into account. The GPLv3 was made to be not scary.
The GPLv3 instead became “scary” not because anything scary in it, but because of a huge FUD campaign from large companies who didn’t want people to switch from GPLv2 to GPLv3, since the companies wanted to keep exploiting the loopholes in the old v2. For those old enough to remember, this was mostly the same old FUD campaign against the GPL (any GPL) versus a permissive license, many years before that. But, largely thanks to Linux, the GPL slowly won over that old batch of FUD. With the GPLv3, however, the opportunity was there to start it all up again. The GPLv3 is slowly winning against the FUD this time too, but it hasn’t prevailed yet, and Linux is not here to help this time.
If by "involve everyone" you mean "ignore the many many companies that said the current GPLv3 is a non-starter and will entirely end our involvement" then sure.
They decided to pick an ideological bone on purpose. That's fine, it's their right. But it was a deliberate decision knowing the consequences.
FSF picked the bone that needed to be picked. Well, they should have addressed tainted linux kernel firsts... but oh well.
It is ironic (and sad) how people here campaigning against GPLv3 are all happy and warm when they realize they can download the driver and kernel sources for their modem, phone, rPI or whatever device.
But then if someone want to even suggest the same thing for digital products, then, no, it's the end of the world.
> The FSF made a huge effort to make GPLv3 not scary.
If they were serious about that effort, the metric would have been a simple boolean: "Will the Linux kernel make the switch?" That's got to be your most visible, most well-funded GPLv2 project in existence.
If no (and it was a resounding no according to Linus' very public rant at a Debconf a few years back) then the license would almost by definition appear to be "scary" from the outset. The only exception would be some very rare edge case in Linux that makes it impossible to switch. In reality-- again, at least according to Linus-- it was a complete breakdown in trust between a holder of the old license and the organization writing the new one.
I don't know the intricate details, but it's clearly a bigger problem than "large companies" spreading FUD.
FWIW the situation is not quite as bad as Linus implies. He may personally dislike GPL3 but that doesn't appear to reflect the opinions of the entire project. A license analysis of the current mainline Linux source shows that roughly 30%-40% files in the kernel are already GPL3 compatible because they're either licensed as GPL-2.0-or-later or dual licensed as MIT or BSD. (I don't have exact statistics on this, it's a rough estimate from a non-exhaustive SPDX audit. You can reproduce by simply grepping through the source for license identifiers) This can happen because individual kernel developers can contribute using whatever license they like as long as it's compatible with GPL2 for a binary distribution. Additionally, Linus and several other kernel developers did decide to adopt the termination provisions from GPL3 not too long ago [0].
Based on this, I don't think it's accurate to say that the kernel developers are currently opposed on the whole to GPL3, or at least to some of the ideas in it anyway. If the stance of some developers was "we'll upgrade the license if you remove all the extra provisions except the termination ones" then it seems obvious why that is a no-go from the perspective of everyone else.
To be clear-- I didn't get the sense from Linus' rant that he's opposed to GPLv3 at all.
His beef seemed to be with a discussion with the FSF about compatibility of licenses. From what I gathered from the rant:
* Linus made clear to the FSF that he wanted a license for the Linux kernel that did not include the anti-tivoization clause. His desire as I understand it is that his project gives a licensee the code, they give back changes to the code, and that is as far as he wants the license to go. GPLv2 is a perfect fit for that. (Aside from whatever legal desiderata is required for such a license to be practical/sensible in the first place to achieve this, and I'm assuming that's what those two clauses you quoted are about.)
* Linus claims the FSF told him he could "invalidate the tivoization clause" as a solution to his stated goals. But, according to Linus, that would create a mess since someone could fork and write drivers under the full GPLv3 (which is compatible with the version that doesn't contain the tivoization clause), and as Linus states, "Where does that leave me?" He could end up in situations Linux is unable to accept the changes without asking the driver writer to re-license the thing under GPLv3-minus-tivoization for upstream inclusion. (Furthermore, the more popular GPLv3 becomes, the worse this problem would get!) But his whole purpose in GPLv2 was to make a simple "code-goes-out-and-changes-come-back-in" deal with other developers, end of story. So that clearly doesn't fit his use case.
* His central claim isn't that GPLv3 is bad, or even that GPLv3 doesn't fit his needs. Rather, he claims that FSF misrepresented the license and its compatibility with the GPLv2 in their discussion with him behind closed doors.
Of course that's just his allegation, and I haven't seen an email chain to confirm anything. But that allegation alone is enough to call into question the idea that the history of GPLv3 adoption is only scary due to FUD from companies.
It was never going to be possible for Linux to switch, so it's honestly a bit of a moot point. By 2007, the overwhelming majority of copyrights were not held by Linus and lots of the code was already licensed as GPLv2-only (not to mention that tracking down copyright holders pre-Git would've been basically impossible -- and that's before you start worrying about bankrupt companies or people who've passed away). Switching licenses is incredibly hard, and in my view it was a mistake to make GPL upgrades opt-in (they should've been opt-out as is the case with the Mozilla Public License).
I also broadly disagree with the argument that if the Linux community (or in this case, Linus) is against something then it is not a reasonable thing to put in the GPL. A reminder that the official policy of the Linux Foundation and lead maintainers is to avoid GPL enforcement at all costs[+] -- meaning that by this reasoning, the GPLv2 having any enforcement provisions at all is "too scary".
[+] GregKH has spoken on this quite a few times. I don't disagree with their view that enforcement reduces the chance of recurring contributions (which is what they actually care about), but it does mean that Linux's usage of the GPLv2 is more akin to MIT but with some extra public shaming if a company doesn't provide sources.
The LLVM relicense shows that it is actually possible for a large project with distributed ownership to switch licenses given there is enough motivation to do so. From what I understand as a non-lawyer, situations with this old code where the copyright owners can't be tracked down is undesirable for a number of reasons and they may need to rectify that eventually anyway. (I believe it can be seen as a liability)
> It was never going to be possible for Linux to switch, so it's honestly a bit of a moot point.
It wasn't moot because:
* the FSF apparently attempted to convince Linux devs that the GPLv3 could be compatible with Linus' intended use of GPLv2
* Linus has publicly claimed they were mendacious in his communication with them
That's not a great starting point for adoption of a new license. And while I'm sure there was also plenty of self-serving FUD coming from companies about the GPLv3, this ain't that.
The fact that the Linux kernel removed the "or later version" from the licence and doesn't do copyright assignment make it impossible to switch to anything other than GPLv2.
You'd need to get every single person who'd contributed to agree. Even if they're dead.
> Each release, large parts of the kernel get rewritten anyway.
That's not really true, and if code is being modified rather than completely replaced it is probably a derivative work of the original code (meaning the license is still GPLv2). The only practical way to make sure the license change is legitimate is to get permission from every single copyright holder.
> Lots of kernel code is copyrighted by companies now.
And some of those companies may have gone bankrupt or been dissolved which puts you in a similar situation to a contributor who has died, except it may be even harder to figure out who exactly owns the copyrights.
> If they are dead, their copyrights are held by someone else now who can be asked.
Even if you figure out who owns the copyrights, do you really think you'll be able to convince every single bereaved spouse, sibling, or child to "relicense your dearly departed [father/mother/wife/husband/brother/sister]'s contributions to Linux to GPLv3"? I envy your optimism.
That's a good point. But then it immediately brings up the question: if that's the case, why would the FSF have been in communication with the Linux kernel peeps with regard to license compatibility and potential upgrade? I can understand getting input from them on the upcoming GPLv3, but not an effort trying to convince them to adopt it.
Digression-- I'm sure the FSF doesn't appreciate it, but there is something very disarming about Linus ending his rant calling the entire FSF "bigoted people," and then immediately following it with, "I may have overstated that a bit."
It's a very unprofessional and risky way to joke around, especially after making the accusations he made minutes before. But the fact that you can hear how the room laughs and carries on after he essentially calls himself a "drama queen" tells you that pretty much everyone understood the upshot (whether or not they appreciated the joke).
That makes me think that of how rotten online communication is. In person, a maintainer of one of the biggest open source projects can call an entire organization one of the worst insults, and probably none of the members of that organization in attendance even considered interrupting him. Yet HN needs a "cool down" period to keep participants arguing about semicolons from throwing their device at the wall.
The GPL has no element saying it can't be used to start any kind of business, and I don't think any of its defenders has ever said the GPL's goal is to suppress that freedom. It seems the FUD is still going strong.
The same people who made the GPL use the term "ASP loophole" and made the AGPL.
Not everyone agrees that the freedom to make a SaaS business with a private GPL fork is a loophole or bug. It seems (from their creation of the AGPL and use of terms like "ASP loophole") that the GPL people do.
AGPL isn't pro- or anti-SaaS, though. It just says that you have to provide sources to anyone you grant access to the software over a network. So if you host an AGPL database for someone else, they need access to the source code for that database somehow. But it doesn't prohibit you from hosting the database at all.
It's the perfect license for MongoDB and all these other companies trying to keep Amazon from taking their software and proprietarizing it... but instead they make weirdly restrictive one-off licenses nobody are going to contribute to.
AGPL restricts developer freedom simply because they launched a webserver on the same machine. There is a legitimate logical argument that the AGPL is not free software.
Copt-left licenses are about preserving the users’ freedom. If we want to maximize developers’ freedom then the freest license is proprietary code where you own all the rights and then you can do anything you want and nobody can do anything about it.
No, the license that maximizes developer freedom is a permissive license, like Apache, MIT, BSD 3-clause etc. That lets you mix your code with either a proprietary or a copylefted project. Since a lot of Free Software is written by people who just want to solve a problem for themselves, they often just pick the permissive license.
Proprietary code is actually the most restrictive to both users and developers. That's because you can't legally mix proprietary code without a license at every step of the way. Any significantly large proprietary project becomes a mass of third-party dependencies with all sorts of license restrictions that your company is probably ignoring and breaking. Even if you follow all the tenants of those licenses, you don't own your code at the end. A Node-style mess of dependencies becomes ten times worse when each dependency has license restrictions attached to it.
In other forms of media, you generally don't see people try to license 30-50 different properties all at once for the same work, because that means nobody owns anything and the work will be really hard to market internationally. Software almost demands this sort of dependency soup, however, which creates all sorts of unique preservation problems. Whenever a large software project (or game engine) is discontinued, a lot of people wonder why the company who wrote it doesn't just release the code as Free for third parties to maintain. The answer is that in most cases, it's not their code to release.
> the license that maximizes developer freedom is a permissive license, like Apache, MIT, BSD 3-clause etc.
Depends on what open source philosophy you support - do you believe users should have the right to look at your source code, modify it, and share the modifications with others? In that case only an open source license like the GPL, that protects the USERS right meets this requirement.
Every developer is also a user of their product. Thus, protecting the rights of the USER, automatically protects the rights of the developer too, to further study, develop and customise their code further. On the other hand, permissive license can restrict developers, as others can close-source your open-source work.
If all you want is recognition and credit for your work, then permissive open source licenses are definitely better.
So you're using the world "developer" not as the one creating the project, but as the one retrieving it and modifying it. That's actually what licenses call "users", and copyleft licenses improve your liberties by maximizing the amount of projects that are Free.
What copyleft licenses prohibit is distributing software with less freedom than what you had when you received it, whether you modified it or not. But that's not a developer's issue, that's an issue for someone that hopes to gain something from restricting freedom.
Not everyone has trouble with AGPLv3 being the core of their SaaS business.
Just because your core business software is AGPLv3 doesn't mean any other business will be able to build a coherent business model atop it, look at Kazoo by 2600Hz or Iris by Lowes.
Knowing how to properly configure and maintain said code in production, creating integrations with third party vendors (that your competition likely can't interact with on the same terms) and marketing to build mindshare among potential customers is a common way to offer your core software as AGPLv3 yet have no competitors or few competitors use your core software.
> Not everyone agrees that the freedom to start a SaaS business with GPL software is a "loophole".
Neither GPLv3 nor GPLv2 prohibit this.
You're thinking of the AGPL, the first version of which was based on the GPLv2 and released in 2002, years before the FSF announced that they were even beginning work on the GPLv3.
Thats wrong too. If you use an unmodified version of AGPL software, or just host any modifications in a public repository like github, then you aren't in violation of AGPL, even if the rest of your stack is proprietary and your service paid. How does it prevent SaaS?
AGPL, like any version of GPL (and most if not all open source licenses) does not prohibit anyone from starting a business. It's weird this FUD is still spreading after all this time, after all the debates the community has had already.
AGPL does have restrictions, and it's anyone's preference as to whether they're good or bad, but there has never been an intent to forbid businesses. If anything it's the recent RedisLabs' modules license and the SSPL-style licences that do it: they explicitely contains the wording to indicate that the product can't be used to create a similar product and offer it as a service. Heck, the SSPL says (https://www.mongodb.com/licensing/server-side-public-license):
"If you make the functionality of the Program or a modified version available to third parties as a service, you must make the Service Source Code available via network download to everyone at no charge, under the terms of this License"
The AGPL tells you that if a user asks for the source code, you must give it to them and them only. The SSPL says that the source code must be publicly available to all, at no cost. It was created specifically to prevent competitors to run MongoDB as a Service. Surely if they had to change it's because the previous license did authorize competitors to do it. Wanna take a guess what the previous license was ?
OwnCloud, NextCloud, Linphone (their pricelist starts in the 5 figures for support!), etc all run successful businesses off AGPLv3 code. Amazon is notorious for turning AGPLv3 projects and products into SaaS services!
AGPLv3 doesn't make starting a business prohibitive, arguably forks like NextCloud would not exist if AGPLv3 did not compel codebase users to publish the additional code they wrote to extend OwnCloud
I wonder when this idea really started propagating, was it around when AWS came along? Because by a technical definition I don’t understand why this “loophole” wouldn’t also apply to a hypothetical web host back in the late 90s.
You might be right as a practical matter, but I do think the FSF's tivoization concerns are well-founded, especially in light of what we've seen happen in the mobile industry. If the user isn't allowed to actually compile and run their own code, what good is it for that code to be open source?
It always seemed to me that problem with GPLv2 wasn't any shortcoming in the license, as such, but in certain legal opinions that labeled things "compliant" which were clearly against the spirit. TiVo-ization is a violation because GPL software and proprietary software are combined to form a single piece of software, distributed as a single binary firmware image; the fact that there's some notional internal interface between the GPL and non-GPL code within, if you manage to crack the firmware that is, should be legally irrelevant. But engineers are wont to be distracted by concerns such as "kernel space" and "user space", and "dynamically linked" vs "compiled in". Absolutely none of this matters, if I'm getting a big-ass opaque blob with a mixture of GPL and proprietary code in it. The same goes for the average Android handset, for that matter.
I think the battle was lost by not pushing the advantage hard enough.
GPLv2 and GPLv3 both have an exception for proprietary "system libraries", which is designed to allow you to ship GPLed software that runs on proprietary systems. (You still have to meet the terms of the GPL in other regards, but you can ignore the system libraries.)
GPLv2 was stricter in that regard, in that the entity shipping the system libraries couldn't be the one shipping the GPLed software; GPLv3 drops that and allows anyone to ship GPLv3ed software for a proprietary platform, as long as you still meet the other requirements of the GPLv3.
There's nothing stopping you. What would be stopping you is if Windows included DRM that stopped you running all GPL programs apart from Microsoft Official Builds™.
Well, I wasn't clear that it would still be allowed under the interpretation the GP was advocating for. Perhaps they need to flesh out their position.
I'm largely thinking about the current situation with ZFS on Linux. IMO, this benefits no one, and so I'd generally like to see less draconian interpretations of what code is allowed to link together—but more licenses which protect other user freedoms, like the ability to run your own code.
That would be fine. The software is distributed to you separately, and so any "derived work" resulting from installing your GPL software on Windows is owned by you anyway.
What would arguably not be fine, under my interpretation, would be if Windows would not function without a GPL component, that's built-in to the OS and distributed on the install disks and updated through Windows Update. Even if it's a self-contained binary, and you can navigate to it in the filesystem.
The standard is - would a reasonable person view the combination of GPL and non-GPL code as a single piece of software?
> would a reasonable person view the combination of GPL and non-GPL code as a single piece of software?
I think reasonable people would disagree with each other.
macOS used to come with iTunes preinstalled, but you could remove it by turning off SIP and running `sudo rm -rf /Applications/iTunes.app` in the Terminal. I always did so, because iTunes sucks, and the rest of the OS always continued to work fine.
Is iTunes a part of macOS, or is iTunes a separate piece of software? Would it matter if you could remove iTunes through Finder, or without turning off SIP? Would it matter if iTunes wasn't included with macOS, but was automatically downloaded and installed a day later? Would it matter if iTunes was created by a third party, or if macOS couldn't output any audio without it?
What about Google Play Services? DirectX? ZFS? I could certainly make a case for how I think each of these should be classified, but I don't think it's at all obvious.
Yes, the boundaries are fuzzy; that's typical in law. The "reasonable person" language is not my invention, and it's assumed that somewhere along the line someone is going to have to fight in court over the particulars of ambiguous cases. The ambiguity is a strength - it forces compliance with the spirit of the wording, instead of risking litigation by trying to find a technical loophole.
Software engineers consistently underestimate the degree to which law is not like coding.
The more interesting case is when the software automatically downloads said binary.
The even more interesting case is when there is more than one option for that binary, all with the same interface (but possibly different features), and only some of them are GPL. This was famously the hypothetical presented by the author of CLisp (which had a dynamic dependency on GNU Readline) to Stallman.
If you believe that "software will eat the world", then hardware doesn't matter. Sure, the customers who purchase a locked-down device might not be able to update their device. But the technology will still be out there, so that it can be built upon to improve the next generation of hardware --- perhaps hardware created by a competitor, or using open hardware. This is especially true for consumer-grade devices, which generally become obsolete and replaced within 2-3 years anyway.
And if this is something that a sufficiently large segment of the users actually care about, then they will vote with their feet, and purchase hardware where they can update their own code. Maybe this will even result in a software ecosystem where the company selling an open product will be able to take those improvements from the dedicated power users to improve future releases of their product. But this is something which is best enforced by market forces --- if it's really an important right that users find important, they will demand it.
This is essentially the debate when the FSF tried to convince the Linux kernel community to relicense to the Linux kernel to the GPLv3. We declined, essentially because we saw the downsides of the anti-Tivo-ization clauses had towards people choosing to use Linux versus some other OS. And we believed that growing the contributor base was in the long term, far more important than the more short-term anti-Tivoization concerns of the FSF. This is why the Linux kernel is GPLv2 and not GPLv3. We didn't give in to the siren call of the FSF position.
The way free software is supposed to work is that you buy a device, you want to improve it, so you do. And then you share your improvements with everybody else.
If you buy a TiVo and then can't modify it, you don't. So there is nothing to share with everybody else. The entire system is destroyed. It's an existential threat.
> And if this is something that a sufficiently large segment of the users actually care about, then they will vote with their feet, and purchase hardware where they can update their own code.
But that's the problem. Most of the users aren't (currently) developers, but if the dominant hardware isn't open to developers then there are fewer developers, and the users then can't receive their improvements.
It's not obvious that there are always enough developers to justify a production run of open hardware separate from the hardware everybody else uses, even though everyone benefits from its existence. So we need the dominant hardware to be open.
> Maybe this will even result in a software ecosystem where the company selling an open product will be able to take those improvements from the dedicated power users to improve future releases of their product.
Except that if this becomes popular and the software is open source but can be locked down, proprietary hardware vendors will ship the improvements on locked down hardware. Then anyone who doesn't make modifications themselves, or doesn't anticipate making them even though they might have, buys the locked down hardware and the open hardware has no competitive advantage in the market among non-developers. Even though its existence is a prerequisite to continued community software improvements that everybody wants.
This argument doesn't work when PCs are essentially the only widely available hardware platform that ended up with an open standard for modifying the software running on the device. Even here, the fact that we ended up with this model was an accident.
Every device or platform since the IBM PC, including phones, tablets, non-x86 PCs, thermostats, wristwatches, routers, appliances, cars, etc. -- all of them have switched to the device-only-accepts-firmware-signed-by-the-manufacturer model where you can't put your own software on the vast majority of devices without a significant amount of reverse engineering and hardware/firmware exploit hunting.
Software can't eat the world if nobody wants to make hardware that can run arbitrary software. Then it's only "this one particular company's software can eat your thermostat for the two years that they feel like providing device support, then it's trash."
I think that hardware (or at least boot architecture) does matter. For all of UEFI's flaws, the secure boot model is actually pretty good. A device can come with a preloaded manufacturer key, and can be configured by default to only run manufacturer signed firmware. But once a user buys the device, they have the option of adding an additional key, either from another third party (i.e. like the key that RedHat and Ubuntu use to sign their kernels), or keys that you or your organization generate and manage yourselves. You can also remove the preloaded key, because as the owner of the device, you should be able to do whatever you want with it. If the manufacturer needs their application to only work if the secure boot settings haven't been altered (i.e. in a car, with safety/liability concerns), they can do that.
I would be a lot happier if we had a model like this for literally any other non-PC platform. Right now everybody rolls their own crappy implementation of signature checking with hard-coded manufacturer keys. It's really pretty awful.
That simply is not true. Chromebooks, many Android phones (all of the ones sold by Google) have a way of turning off the requirement for signed boot. The device is less secure if you disable signed boot; an evil maid who gains access to your device, or the FBI after they seize your device, will have a much easier time getting access to your data --- but if you want to build your own version of Chromium, or put your own Linux distro on a chromebook, or if you want to build your own version of Android from source, and put it on a Nexus or Pixel phone, you can do this easily.
(Well, the hard part is learning how to download all of the source code and learning how to use the Android build system, and then downloading a new system image onto the Android device; there is no technical restriction which prevents you from doing this.)
I developed the ext4 encryption specifically for Chrome and Android, and I was building my own Android images and putting it on putting it on a Nexus 9 device. This didn't require any kind of special privilege or encryption keys only available to Google employees. Neither did this:
It's all open source, and you can certainly rebuild your kernel, make other changes to the firmware, and install it on your phone. No reverse engineering or hardware/firmware exploits necessary!
You're right. For all of Google's other flaws, their hardware has been surprisingly good about this. The Chromebook write-protect screw is a good example of a thoughtful feature here.
However, Google's approach is so uncommon, that it's basically the exception that proves the rule. The vast majority of device manufacturers don't do anything like this, and if you were to pick a phone at random, you would probably expect to encounter some sort of issue flashing it. That's why we're still stuck with databases of "if you want to run a custom Android ROM on your phone / OpenWRT on your router / etc., pick from one of these known-good devices."
There are a lot of other devices (that aren't x86 PCs) which let you boot OSs wholly from third parties. A couple that come to mind are Canon Cameras[1], and the Remarkable Tablet[2]. A lot of routers, too, don't put up any barriers the installation of alternate firmware (some do), and even Apple Silicon Macs can be made to boot unsigned OSs (and are getting a Linux port). Not to mention the Raspberry Pi and its ilk.
I say this almost preemptively, because I really don't think it should obscure your core point: open devices are increasingly the exception, not the norm.
Ted, you have to remember why Chromebooks have a way of turning off signed boot. It's actually to comply with GPLv3 requirements for the GPLv3 code used in ChromeOS.
Google takes licensing seriously (as both know you and I know :-).
No idea why we do the same for Android phones though. No GPLv3 in there :-).
Google could have stripped GPLv3 code out of ChromeOS like they did with Android. The reason why they provide owner overrides is entirely a matter of corporate culture.
Yes, this is true. Google corporate culture is one of the big reasons I work here. There are few places that take Open Source as seriously as Google does.
Software might be eating the world, but IP industry and legislation are eating the hardware. There soon may be no user-controlled hardware, especially with the advent of the internet where "vulnerabilities" that let users run their own code can be patched, and Apple-like certificate checking can be deployed out.
GPLv3 might be seen as an effort to counter-act this situation.
>perhaps hardware created by a competitor, or using open hardware
I think as the Purism folks are demonstrating with the Librem phone, we live in a world where the barrier to entry to compete in hardware markets is enormous. The "hardware doesn't matter" argument only holds where the hardware to run software is sufficiently commoditized or where it's easy to develop open-source alternatives.
For phones and select other segments of the hardware sector this simply isn't the case: consider the yawning chasm that separates the Librem phone from the iPhone.
You have the market forces backwards. People don't avoid the lockouts, the lockouts shape people into a particular behavior. For example, look at Apple's ridiculous levels of anti-repair nonsense - it is designed specifically to make it harder for non-Apple technicians to properly repair a device. These lockouts have legal force thanks to... rather prevalent misreadings of DMCA 1201 that make large companies unwilling to design circumvention tools for these sorts of things.
Granted, all of these are legal problems that need to be remedied with judicious case law and acts of Congress. However, so is the concept of software copyrightability itself. (CONTU fucked up, software should have been sui generis.) The whole point of the GPL was to legally construct something like a public domain dedication that subsequent derivative works couldn't reverse. The idea was that software would always serve the user (or be modifiable to do so). If you look at the GPL in that light, TiVoization is a clear circumvention of licensing intent.
Given that the FSF came first, I'm not entirely sure I'm OK with calling anti-TiVo a "short-term" concern. It's more like protecting the users of the software and ensuring developers are able to collaborate under equitable terms are both long-term concerns that are occasionally in conflict with one another.
(FWIW, most of those lockouts wouldn't actually qualify for 1201 protection in isolation. However, they often are tied to systems that would. Nobody builds a separate repair lockout and DRM system - they build one system that prohibits both use cases. Even when the law agrees that you're allowed to break the part of the lock that keeps you from swapping parts on a tractor, it doesn't let you distribute the tools to do so if that lockout also enforces a copyright owner's licensing intent. So, for example, it's legal to jailbreak a phone to make Touch ID work, but that jailbreaking tool you used is still illegal because someone might use it to pirate iOS games.)
Intellectual property is a state enforced monopoly that interferes with market forces. In a purely market driven world “locked down” phones would be harder to create/enforce.
If you're eliminating intellectual property you're eliminating the GPL anyway.
You also probably create an even greater incentive for manufacturers to strictly lock down their devices, doubling down on technical solutions in the absence of legal ones.
GPLv3 effort was made in order to address two main problem. One was that the market dominated manufacturer who held close to 90% of the market was going around and claiming royalties for claimed software patent in free software, and if I remember right against actually members who participated in the drafting of GPLv3. People saw how a dominated party would distribute GPL software and then go and try shake down same people for patent money, and people were really scared at the time. Quality patents like "1-click" were being fought in courts and companies like Microsoft spent billions, with a capital B, of dollars on patent deals. People did not assume Microsoft just did that for laughs and so the drafting process had a distinct goal of addressing this problem. After gplv3 release Microsoft did halt their claims on Linux users, which could naturally be just a major coincidence.
The second concern was that millions of devices with Linux in them would be sold for which users could not modify, share or distribute changes for. This happened beyond what anyone could have imagined. FSF fought and lost that fight, but I am not sure I would have called it a mistake. Mobile phones are full with anti-patterns, have zero security, zero privacy, zero control for the user. Their operational lifespan is a small portion of that open platforms and when the developer cuts updates then the device is unfixable. At any time the device can stop working and ransom the user for a subscription in order to regain operation. It is hard to imagine how those devices could get worse in term of user agency, except if the manufacturer join hands with an oppressive regime.
We are about to open source our projects too [0], and have been faced with the question of xGPLv3 vs other permissive licenses. Not a big fan of source-available licenses because as Bryan Cantrill argues, one is better off with closed-source in that case [1].
From all that I have read, the Mozilla Public License v2 [2] (file-level copyleft) seems like a good intermediate between GNU family of licenses (strong copyleft) and Apache / MIT / 3-Clause BSD (copyright).
The problem with using a permissive license such as Apache is, anyone can fork the project exclusively under xGPLv3. If that fork becomes more popular, there's no way for the Apache-licensed upstream to merge any patches from the xGPLv3d fork back in.
With MPLv2, all "files" in the immediate xGPLv3 fork are automatically dual-licensed under both, xGPLv3 and MPLv2. This means MPLv2-licensed upstream is free to merge in changes without worries from immediate forks. MPLv2 additionally bakes in a choice for the original developer (viz. "initial Contributor") to make xGPL forks illegal (using the incompatibility clause), but it isn't the default.
The Eclipse Public License v2 [3], which is very similar to MPLv2 in its copyleft aspects, takes this a step further and makes xGPL forks illegal by default. The original developer; however, can explicitly choose to permit xGPLv3 forks.
> The problem with using a permissive license such as Apache is, anyone can fork the project exclusively under xGPLv3.
Why is this a problem? If a GPL fork becomes more popular, you can switch your own license to GPL too, and then take the changes back. The real risk of using a pushover license is that someone makes a proprietary fork, in which case you are locked out of their changes forever, which is the exact thing the GPL disallows.
What if you went with GPLv2 only as your license? It isn't AGPL-compatible, so nobody could release an AGPL fork, and then companies wouldn't have to worry about it unless they distributed your code to other people, rather than just using it themselves, with the former being way less common than the latter. And most companies are okay with GPLv2 since they use Linux.
The irony of someone using Apache license complaining that other people's usage of their code doesn't let them merge changes back is, of course, palpable.
That's exactly what the GPL is for!
Someone using Apache complaining about GPL relicenses is saying they're fine with closed-source products making money off their private forks of their code without being forced to contribute it back, but open-source projects doing the same thing is where they draw the line.
I agree with your sentiment overall (if you don't want obstacles to merging back downstream code, maybe consider requiring that it keep compatible licensing, i.e. use the GPL, use copyleft).
But this sort of contribute-back-upstream is not what the GPL was written for and not how it behaves. The GPL is specifically a pass-it-forward downstream focused license. It is about requiring others to pass on the freedoms. The idea that it has any send-back-upstream requirements is a common misunderstanding that shouldn't be encouraged.
Yes, but by the point your downstream project has changes that you want to merge back, it is the upstream for purposes of GPL sentiment. These roles are transactional, not historic.
Otherwise, any company could break the GPL wide open by just morally considering themselves to be the upstream.
Not strictly. Downstream GPL users do not need to publish their changes. Businesses and individuals can get GPL software, change it for their own internal use and keep the changes private.
GPL's upstream features are incidental and often practical but are not the point of the GPL and more importantly do not describe how it works legally.
I have released some minor personal projects under the MPL2, but in practice AFAICS MPL2 isn't much stronger than the permissive licenses (Apache/MIT/BSD/etc.). An evil corporation that wants to leech without giving anything back can practically as easily do that with an MPL2 licensed project as with a permissive licensed project.
My personal reasons for MPL2 are basically:
- Modern goodies like explicit patent protections without being GPLv2 incompatible like Apache.
- Showing the sharing "spirit" I'd like to see, even though it's in practice impossible to enforce against a "hostile" user (see above). That is, feel free to use it in your proprietary product, but if you make improvements to my code please share those with me.
That being said, I'm not actually sure that MPL2 is worth it, considering it's very much an uncommon license compared to the big permissive ones.
I'm not sure I understand your arguments about MPL2 being better protected against forks with stronger copyleft licenses. The forker can still make their own additions subject to the xGPLv3, as long as they're in separate source files, effectively making the combined work xGPLv3.
> I'm not sure I understand your arguments about MPL2 being better protected against forks with stronger copyleft licenses.
IANAL. MPLv2 has two modes of protection:
1. By default, the immediate fork of a MPLv2 project under xGPLv3 is auto dual-licensed (for existing files, at least). Usually, the project stays dual-licensed (even for the larger work) unless the contributors make an explicit decision to remove the top-level MPLv2 license file.
2. Initial Contributor (original developer) can choose to make the "Covered Software" incompatibile with secondary licenses (like xGPLv3) for posterity.
> An evil corporation that wants to leech without giving anything back can practically as easily do that with an MPL2 licensed project as with a permissive licensed project.
Evil corp at least (if nothing) is required to open source their changes to MPLv2 files (part of the original work), if any. Whereas Apache / MIT / BSD don't require any form of reciprocation except an attribution.
> That being said, I'm not actually sure that MPL2 is worth it, considering it's very much an uncommon license compared to the big permissive ones.
From what I know, MPLv2 is well understood and it isn't ambiguous as WTFPL or confusing as AGPL. Hashicorp and Mozilla are two of the biggest corporate users of the license I know.
Of course there can be no argument that xGPLv3 protects the interests of the consumers better, though, MPLv2 (and EPLv2), I feel is a good compromise.
> 1. By default, the immediate fork of a MPLv2 project under xGPLv3 is auto dual-licensed (for existing files, at least). Usually, the project stays dual-licensed (even for the larger work) unless the contributors make an explicit decision to remove the top-level MPLv2 license file.
No, you can't change the license of existing code that you don't hold copyright of. Even permissive licenses like MIT don't allow that. Where you can add your own license terms is for additional code you wrote that you hold the copyright for. Permissive vs. weak vs. strong copyleft then tell you under which terms you can combine your own code and the other code that you forked.
> 2. Initial Contributor (original developer) can choose to make the "Covered Software" incompatibile with secondary licenses (like xGPLv3) for posterity.
The "secondary license" thing in MPL2 is a (clever) hack to make it compatible with *GPL. That just means that without the secondary license you can't make a combined work (called "larger work" in the MPL2) that contains both MPL2 code and your own GPL code. It doesn't allow you to relicense MPL2 code to GPL.
> Evil corp at least (if nothing) is required to open source their changes to MPLv2 files (part of the original work), if any. Whereas Apache / MIT / BSD don't require any form of reciprocation except an attribution.
Yes, but nothing prevents Evil Corp from just doing minimal modifications to the MPL2 code to add entry points or call out to the proprietary code in other files.
That is sort of the argument against weak copyleft licenses in general; they are easy to circumvent. So if you want copyleft protection, you should go for a strong copyleft license, or then you just accept that Evil Corp may leech and you might as well use a simple permissive license.
> From what I know, MPLv2 is well understood and it isn't ambiguous as WTFPL or confusing as AGPL. Hashicorp and Mozilla are two of the biggest corporate users of the license I know.
> Of course there can be no argument that xGPLv3 protects the interests of the consumers better, though, MPLv2 (and EPLv2), I feel is a good compromise.
Yeah, I think in many ways GPLv3 is pretty good, but considering how soundly it has been rejected by corporations I'm not sure it's worth it..
> No, you can't change the license of existing code that you don't hold copyright of...
It's not that simple, see: Modifying and Distributing Files Licensed Under Both the MPL and (L)GPL.
Once an MPL-licensed file has been distributed as part of a larger (L)GPL-licensed work, third parties who receive the file may use and redistribute the file under the terms of either license. As a result, new modifications can be provided to recipients under the terms of both licenses, or solely under the terms of the (L)GPL.
> So if you want copyleft protection, you should go for a strong copyleft license...
True, but MPLv2 with incompatibility clause (or EPLv2) prevents stronger copyleft, which has some nice properties whilst also retaining a weak "file-level" copyleft (which enterprises are okay with).
"The problem with using a permissive license such as Apache is, anyone can fork the project exclusively under xGPLv3. If that fork becomes more popular, there's no way for the Apache-licensed upstream to merge any patches from the xGPLv3d fork back in."
If the GPL fork becomes more popular then one of the main arguments for not having a GPL license falls apart.
We thought about the Eclipse Public License in advance of the shift. There is a very persuasive member of our community who argued in its favor. In the end, it is ease of recognition that swayed us to Apache. If you have to forward for approval or read the details of the license before getting started, that is often a bridge too far.
> The problem with using a permissive license such as Apache is, anyone can fork the project exclusively under xGPLv3. If that fork becomes more popular, there's no way for the Apache-licensed upstream to merge any patches from the xGPLv3d fork back in.
I'm curious if anyone knows of any cases where this actually happened.
LibreOffice vs OpenOffice. LibreOffice is, IIRC, under the MPL2, and can take improvements from the Apache-licensed OpenOffice (and has done so in the past, though Apache OpenOffice has been moribound for its entire existence so there's not much to take from there anymore), but Apache OpenOffice can't take improvements from LibreOffice.
> And the GPLv3 was simply far too scary for companies.
"scary" from a different perspective is "functional". Many companies also push back against even GPLv2 in anything other than the Linux kernel, and as a result, more people use permissive licenses, even when those permissive licenses run counter to their goals. I've directly seen corporate decision-makers ask "how can we prevent our competitors from using this to compete with us" and yet still choose permissive licensing rather than copyleft, for no obvious or stated reason. That's leaving aside many individual projects using permissive licensing; I wonder how many people doing so specifically want permissive licensing for a concrete reason, and how many just aren't sure and so they pick what seems more prevalent/"acceptable"?
In many contexts, GPL of any flavor is "that thing that the Linux kernel and a few bits of low-level Linux userspace use, and everything else avoids". GPLv3 didn't cause that; widespread corporate pushback against copyleft caused that.
Reading the text of GPLv3 closely, I was disappointed at how little its additional provisions actually protect. It read like it guarded against Tivoisation and not much else, but the world's moved on since then.
GPLv3 either went too far, or not far enough (in terms of cost incurred: gaining enough ground that the community split is worthwhile, volume of license text, ...).
If I had a time machine, I'd suggest the FSF to try frog-boiling people into software freedom instead.
I do wonder what would have happened in the counterfactual world in which the FSF put out a new version of the GPL annually, with minor changes in each version, rather than a big revision one time. A slow ratchet, together with the guarantee of forward-compatibility.
I also wonder whether many people would have refused to use the GPL if it had had the "or any later version" built in and unremovable, rather than making it part of the license grant.
I think you are absolutely right. Basically don't take my opinion for it and just look at how the corporate world has responded to licenses:
1) GPLv2: a legacy license still dominating e.g. Linux and other projects that simply never switched and leaves enough legal loop holes to not block commercial usage. Huge commercial success and arguably what bootstrapped the OSS world.
2) Apache 2.0. Huge commercial success and together with the MIT & BSD style licenses the no brainer go to license for anyone wanting to release some software under reasonable terms. These licenses dominate the vast majority of Github projects.
3) GPLv3 & AGPL v3. Only used by 1) people with outlier opinions on freedom related topics (trying to be diplomatic here). 2) companies looking to dual license their software under a highly restrictive commercial license or a highly restrictive OSS licenses. Technically free but limiting in practice in what you are actually allowed to do to the point where you probably need to worry about signing a proper deal for a proprietary license. Which is a different way of saying that it is not free at all You are not free to do what you want and you are certainly not free to build a business on top of the software; that requires a non free closed source license. The OSS limitations with respect to any form of commercial applications are kind of the whole point for the companies choosing this license: it practically leaves their users no other choice than their commercial license. Whatever your opinion on this, these licenses are considered problematic by most corporate legal departments and simply not widely used by companies with such departments for this reason.
> you are certainly not free to build a business on top of the software
A common mistake in interpreting the GPL in my experience is that it is designed to protect the freedoms of the producer. It is explicitly designed to promote certain freedoms for the user. The producers set and the users set are likely to intersect, which is likely where some of the confusion comes from, but it is not common that they are identical sets.
If the corporate world is part of your target audience, then the GPL family, particularly AGPL and GPLv3 (though not so much so LGPL) are unlikely to be good choices. This is true whether you are a solo home developer, or a significant commercial entity, or something in between, yourself.
Just like commercial licences, and other F/OSS licences, the GPL takes away nothing. It grants rights subject to the grantee agreeing to its other conditions.
> under reasonable terms
That is a very subjective thing.
If commercial entities won't touch something of mine because I've chosen to license it under GPLv3/AGPL/else, that is only a problem for me if I care whether commercial entities use it. They are free to try negotiate a different licence. Of course I'm only able to do that for my contributions unless others the project has taken contributions from have legally stated on the record something to the contrary, but that is no different than for a commercial project which has multiple otherwise independent contributors.
I suspect neither of us are lawyers. On the other hand I've definitely dealt with corporate lawyers pretty much interpreting it exactly as I outlined. And by that I mean they issued a blanket ban on any single line of code licensed under GPLv3. For GPLv2 the verdict was use with caution and MIT/Apache 2.0/Eclipse/BSD/etc. were generally fine provided the code was licensed properly and clearly (some projects fail this test). This was Nokia around the time they were in the courts with Apple, Qualcomm, Microsoft, etc. regularly on all sorts of IP issues and at the same time they were putting together a Linux based phone platform. In other words, they weren't amateurs; like us.
As far as I know most fortune 500 companies would probably have similar reservations about these licenses (correct me if I'm wrong). Companies like TerminusDB switching license because "sufficient lawyers have advised teams to be wary of GPL" probably means that they were loosing lucrative deals with big customers because of the license. Hence the switch. I think dual licensing as a viable business strategy is pretty much dead at this point. An overly restrictive OSS license is a hard sell for a SAAS business in a competitive market with alternative solutions.
Legal interpretations are not an exact science of course but there's enough language in these licenses to cause raised eyebrows for lawyers and probably not enough court cases to argue one way or another definitely. That equals a lot of uncertainty and corporate legal departments hate that sort of thing. GPLv2 has had some exposure in courts over the years so lawyers are more comfortable with it at this point and know how to limit and contain its infamous viral nature.
> issued a blanket ban on any single line of code licensed under GPLv3
I've also seen blanket bans on all GPL related licences in code (the dynamic in OS/app/other use differs, though way-back-when there was enough FUD/misinformation that there were blanket bans for those too) especially when GPLv2 was introduced (the "liberty or death" aspect was the cause of much consternation, I recall).
I don't think they are interpreting the license differently though for the most part. They are agreeing that is protects the user not the producer, and in giving those protects to the user it might be inconvenient for them (or even impossible for them legally, depending on licensing agreements and other restrictions they have to operate under regarding other parts of their codebase) as a producer.
> In other words, they weren't amateurs; like us.
At least some of the original impetus for the GPL was to protect amateurs like us from being used as free resource for parties that aren't. I'd say this is the system working.
> I think dual licensing as a viable business strategy is pretty much dead at this point
That is quite likely true, but only relevant in such a commercial context. If a developer doesn't care about commercial users of their code, for instance they are scratching an itch & want to share but aren't seeking worldwide adoption (and hold those "outlier opinions on freedom related topics"), then this is not a problem and GPLv3 is still a relevant option on its own.
Commercial viability is not the be all and end all of licensing decisions, if commercial gain and massive reach are not your concerns.
I dual license my software using GPLv3 and don't feel like I fall in any of your categories.
If a user wants to integrate my software into their commercial software, then they in turn pay me for their commercial use of my software.
If a user wants to integrate my software into their software to distribute it freely, then they don't pay me.
The only time a problem exists is when someone wants to integrate my software into their software for commercial purposes and doesn't want to pay me for it.
I don't see how that's the case. There are corporations that use the GPL'd version of my software without issue. They use my software internally and also extend it with custom functionality for their own business purposes and have absolutely no issue doing so. There are also corporations that use the commercial license of my software in situations where they wish to release software commercially to other parties.
I also do the same myself. Internally within my company I use Linux and MySQL, both of which are GPL'd software and I am a very happy user of both software products and never felt like I was restricted in how I can use them.
If I wish to incorporate MySQL into commercial software, then I'd need to pay Oracle for a license, but I have no need to do that.
In what way is any of this incredibly restrictive?
At any rate, I don't know that we're going to change one another's minds on this issue, all I can say is that there seems to be a fairly substantial group of users who do not feel restricted in how they use very popular GPL software such as Ad Block, Wordpress, Git, Linux, MySQL.
I use all of those and never once felt like they restricted my usage.
> Which is a different way of saying that it is not free at all You are not free to do what you want and you are certainly not free to build a business on top of the software; that requires a non free closed source license.
Most freedoms constrain others. The freedoms that the FSF care about are the freedoms of the users. Not the freedoms of the developers, and not the freedoms of the corporations that make the devices that sell to users. If you want to recognise and protect the rights of end users, you will constrain other peoples rights to exploit them in various ways.
Which is to say that I think that GPLv3 (dual) licensed software does give genuine freedoms, even if they aren't the freedoms you are most interested in.
Your freedom to create a consultancy around the GPLv3 licensed code and to charge for customisations or support are all protected too. Again, I understand that that isn't the kind of business you wanted to build on top of the software, but it's still a real freedom.
I actually think a dual license might have been better in the case of terminusDB too.
I think the truth is that money wins. It doesn't really matter that GPLv3 is stricter than 2. Corporate interests didn't like GPLv2 either. They just dealt with it to use Linux. I think the current state of things was basically inevitable. Corporations love open source because it means they can outsource labor to "the community" and use that labor to profit on their actual cash cows.
The free software fight has already lost in spirit. It's not even clear that it ever could have really survived with how complex software has become, anyway. Are any of us really able to customize MS Excel to do something new that we want anyway?
"I think the truth is that money wins.. the current state of things was basically inevitable"
If corporate money always wins, then why do we have environmental legislation, worker protection laws, 40 hour work weeks, overtime pay, anti-child labor laws, and unions?
Sure, in some places and in some cases these have been violated or aren't as strong as they could be, but you can't say they they don't exist and corporations and money always win.
Something else we need to keep in mind is that corporations are made of people, and the opinions of these people can and do change.
Plenty of things that used to be unthinkable in the past are now commonplace, and plenty of things (like slavery or segregation) that were ubiquitous and seemed inevitable to a lot of people back then came to be rejected by society at large.
I mean... I get what you're saying, but most of the things you listed as victories over corporate money happened 100 years ago. That says something about the current struggle.
Amazon had GPLv3 blacklisted when I worked there. Nothing new by way of legal concerns about GPLv3. No lawyer is going to advise a company to take actions that will likely see the company go to court to explore just how much of a license is legally enforceable, and just what it actually means.
And they also avoided GPLv2. Sure, they had bash, but all of the "coreutils" were the BSD flavors. That an exception was made for one or a couple of things doesn't exactly counter my claim very strongly.
They accepted the sister LGPLv2 license as the basis of WebKit, and had other tools like Samba integrated. They may have avoided the GPLv2 when easy, but they outright banned GPLv3 (froze bash and gcc on the last version while working to remove them; wrote their own from-scratch CIFS implementation to drop samba).
They accepted those things because they had nothing else. The forked WebKit from KHTML, which was LGPL. It's not like they chose that license. Same with Samba. It was either take those things or invent something new. Especially at that point in Apple's history, they probably didn't have the resources to NIH everything. Today, that would be a different story, I'm sure.
I understand your point about outright banning GPLv3 vs just avoiding GPLv2. But I have to wonder what would have happened in an alternate timeline where KHTML, Samba, and GCC were all GPLv3 at the point in time where this universe's Apple adopted them. Would they have just skipped making their own browser and integrating with SMB?
Sure. That's true. But follow the rabbit hole. Why do they have a BSD heritage? Why doesn't BSD use GNU software? It's anti-copyleft all the way down. Long before GPLv3.
Meanwhile, there's at least two boxes in my house running Linux that I have absolutely no access to, no chance to upgrade after the manufacturer stops supporting them - on a fast track to e-waste.
Honestly the GPLv3 really isn't that radical. It has three major changes along with a bunch of more minor cleanups and improvements:
1. Protections against patent trolls (similar to Apache-2.0, so this is a clear improvement over the GPLv2 which didn't protect users from patent trolls at all).
2. The enforcement provisions were made much less harsh (the GPLv2 immediately terminates your rights upon any violation of the GPLv2) with a curing period so that distributions could rectify honest mistakes without losing their rights.
These two are both clearly improvements over the GPLv2 (so much so that many distributions in the Linux community have explicitly promised to only enforce GPLv3-style enforcement for non-compliance of their Linux copyrights[1]).
3. The "tivoisation clause". This one is probably the most controversial change, but honestly it's actually a fairly understandable extension of this clause of the GPLv2 (s3):
> For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.
In 1991, firmware keys and walled-gardens were unheard of and so I would expect that most people living in 1991 would expect the above line to mean that you should be given everything required to install a program (including if it came with a piece of hardware). You may not personally feel that this is reasonable, but given that the FSF's main goal is complete software freedom, I am surprised people can't see the above clause from their perspective. Today we know that firmware keys aren't part of "the scripts used to control compilation and installation of the executable" and so with the GPLv2 you can still get locked down devices. Hence the "tivoisation clause".
The "tivoisation clause" also in many cases makes it against the law to use GPLv3 software in some consumer products, or parts of the products.
For example much embedded software that comes under radio transmission laws, much software in safety critical applications such as rail, or automotive use, software that have environmental impact at leat in the automotive industry. At leat in the way that automotive legislator reads the laws at the moment.
> And the GPLv3 was simply far too scary for companies.
I've not got anything out there covered by GPLv3, or any GPL these days, but I remember the same arguments against GPLv3 being given for the older versions too.
Much like the answer to "if it doesn't say how much it is, it'll be too much and I move on" is "that is probably the intention, if you move on for that reason then you probably aren't the target audience" - if you are scared of GPLv3 then you probably aren't the target audience of the people using it.
(of course if you are the target audience, and they state as much, there is obviously a disconnect somewhere, in both cases)
I don't agree that the changes in GPL (AGPL, GPLv3) are the reason for the drop in use of that family of licences, rather that the rise in less restrictive open source options would have happened just as much had GPLv3 never been a thing. That is a mix of many people becoming less ideological in their licence choice overall as the F/OSS developer base increased, and an increase in commercial interest in F/OSS software that has lead to investment (dev & other time & resource, not just money) which has of course gone to less restrictive projects where such exist for obvious alignment-of-interests reasons.
why isnt the said corporation not using any open source licensed software then? why don't they either built their own proprietary software from the ground up or ask the developer to set up a parallel commercial license for their specific purpose?
Why aren't they building or buying a proprietary software solution instead? Because the open source solution is cheaper, and adds more value to them that the proprietary alternatives. The GPL means that enhancements to Linux generally get contributed back to the core. That has allowed Linux to development faster, have better hardware support, etc., compared to operating systems that have a more permissive licensing scheme, such as BSD, and it's cheaper than a purely proprietary OS where one company has to shoulder the whole cost writing all of the software from scratch.
So companies use Linux because it provides a better cost/benefit solution than the alternatives. I will argue that the GPLv2 helps this situation by allowing Linux to get back the software investment made by other companies and merge them back to the core code. So I will be the first to argue that the GPL approach has its benefits. But it also, at the same time, makes companies uncomfortable. So it's simply a matter of nuance. The more value you can provide, the more you can insist that that companies "give back" to the community.
I believe the GPLv2, as, for at least some software projects, manage to achieve a balance which works for most of the stakeholders. And I don't consider this to be "the companies are taking advantage of free work from the community", because the companies are paying developers to work on Linux, so their are part of the community, and they are also contributing back to the community. We just need to make sure that the benefit is such that it is worthwhile for companies to continue to contribute to the community. The whole point is that this is not a zero-sum game, but that by enforcing cooperation, everyone wins.
But if the GPLv3 is too scary, such that no one wants to even try out the community model, then it's a losing proposition.
Luke from TerminusDB here. As we struggled with this decision (it feels a bit like leaving behind an old friend), I found this deck very helpful - especially as it really highlights how many other great projects have struggled with similar problems:
Hi Luke, I think it would be interesting to learn about the process you'll follow (or have already followed) to ensure the relicense process is done correctly to avoid problems in the future. I mean that, you probably received improvements and patches from external contributors, and those contribution's copyrights belong to their creators so you wouldn't be able to relicense them without their express consent. This is problematic, but on the other hand by virtue of being GPL in theory a project might receive many more contributions due to the libre spirit that the license infuses to the project, so the project might have benefited to a greater degree from being (A)GPL.
One usual mechanism for this is to require a CLA on all contributions, with a copyright assignment so you become the owner of the contribution (and probably cope with a lower amount of people willing to contribute, as some consider CLAs as harmful to Open Source). But of course this had to be put in place from the beginning, which I don't know if it was.
Other solutions are to reimplement all parts of which you don't own the copyright, or to ask one by one for copyright assignment from all previous contributors. In this HN thread they talk precisely about this: https://news.ycombinator.com/item?id=24954772
In your case the relicense is to Apache 2 instead of proprietary, but I think the same set of issues apply. I think we'd learn a lot if you could tell us about your case, so there are more examples about the fine detail of relicensing Open Source projects.
Yes - as you mention I wrote about it in response to another point. Most of the external contributions to TerminusDB have been to the clients. The python community in particular has contributed extensively to that TDB client. The JS and python clients were always Apache 2 as we thought that people might want to embed.
The contributors to the server & core, which is more challenging from a getting started perspective (prolog server and Rust triple store), have had fewer active outside contributors. I was looking at these slides (17 - 22 here: https://www.slideshare.net/slidarko/mmadt-a-virtual-machinea...) earlier in the week and remarked on how few devs actually worked on most of the major DB and OSS projects. Tinkerpop is effectively written by 1.5 people! But that largely tallies with our experience. Small number of focused devs keeping a lot of the architecture in their heads while they write the code.
Those that did contribute, and we are eternally grateful to them, were happy to allow their code to be re-licensed. But I wrote to all individually and waited until they had time to think before taking any other steps. If we had been moving to a proprietary license, I think it would have been harder to get sign off, but that is pure speculation!
> If we had been moving to a proprietary license, I think it would have been harder to get sign off, but that is pure speculation!
Well good news for you then: There’s nothing stopping you making all future changes proprietary now that it’s Apache licensed. You can effectively relicense the project however you want now, attribution notwithstanding.
We did think about that, but our economic model is to focus on income for SaaS collaboration through TerminusHub. We are a distributed revision control database - so the model is a bit like git and github (only they piggy backed on an already successful open source project and we have to build both open source and hub!).
We really don't like the 'traditional' open source economic model - with a community version and all the good features in a proprietary enterprise edition. The community version is almost necessarily weak and you end up annoying your users. We'd prefer to keep as open as possible and have a commercial SaaS or open core model.
> We'd prefer to keep as open as possible and have a commercial SaaS or open core model
Isn't this opposed to this?
> We really don't like the 'traditional' open source economic model - with a community version and all the good features in a proprietary enterprise edition
This is what I thought open core was, am I wrong?
A commercial SaaS model would make a lot of sense for a project that wants to remain completely free software, though. You are the people who know your code best, and it makes sense to trust and pay you to run it reliably.
We want the database to have 100% of the features and not have to have a proprietary split between the database we offer to enterprise and to our open source community.
We want people to build stuff on our database whether they are companies or individuals and we don't want to encumber this with stumbling blocks.
We intend to do this by having a SaaS revenue model which doesn't require we hobble anything in the database in order to make money.
Pff, the have not more freedom with a GPL, unless they are developers. What freedom do you have when you use Linux but never read or change the source-code?
The freedom for the user that comes with using Linux as a result of it being GPL-licensed is that entities have to contribute any changes they make to the kernel back to the community if they intend to distribute their modified, potentially improved kernel. This results in a better end-result as the kernel can integrate changes that others wrote if they provide a better experience in some way.
Really? And whats with all the proprietary blobs? The Modules (like nvidia), for the end-user it changes absolutely nothing, having bad firmware your wifi will not work, the license is absolutely not important for the end-user. Nearly no one cares that most Androids have stoneage Linux kernels, whats important for them is that the Android-Runtime (aka Play-store) can download and execute "Apps".
>potentially improved kernel
Or potentially worsened kernel, which now sits in you closed down IoT device, again the license is NOT important for the normal end-user.
It is wrong that the license is absolutely not important for the end-user. Most users might not directly care about the license of the software they use, especially between free software licenses, but they might care about the consequences even if they are not aware of the causal relation.
You might not know anything about how the engine works in your car but it is still important that it is made correctly. The whole Free Software movement targets end users and works on the assumption that these questions are important for them.
Licenses might look like non significant technical details to most end users, but they are not, and many people not in the field are able to understand the subtleties. We should consider people's ignorance inevitable. This is not a fact we can't do anything about. Software is omnipresent in our societies and as massive effects on them. They have the right to know, should care, and actually often do if you don't push them. I know, I tried.
> all the proprietary blobs
Which ones? Nvidia seems to the exception here, and only concerns Nvidia's hardware anyway. If you think of Android drivers, they are in user space libraries (Had the Linux kernel been in a non-copyleft license, they would probably live in kernel space and working out the shitty situation of Android with the kernel would be far more difficult.
Thanks to the Linux kernel being under GPL, Android vendors and manufacturers are forced to release their kernel sources, which allows projects like Lineage OS and other Android derivatives to exist.
> or potentially worsened kernel
I can't imagine why kernel developers would accept a patch that knowingly worsens the kernel upstream.
The GPL forces shitty hardware makers to release their shitty code but nobody is forced to merge it upstream.
bad closed firmware are unfortunate but I don't know what it has to do with Linux being under the GPL.
> Really? And whats with all the proprietary blobs? The Modules (like nvidia), for the end-user it changes absolutely nothing, having bad firmware your wifi will not work, the license is absolutely not important for the end-user.
I think the sibling comment covered most of this well, but I just wanted to add that relying on closed-source drivers is far from necessary with many setups of modern day Linux. All of the drivers on my computer, save for the processor microcode, are open source and for the most part, bug free. In fact, they are probably mostly bug free because they have so many eyes on them.
> Nearly no one cares that most Androids have stoneage Linux kernels, whats important for them is that the Android-Runtime (aka Play-store) can download and execute "Apps".
While many users might not know this is the reason, I think the copyleft license of Linux has let it become where it is currently, as it forces vendors who might otherwise release proprietary blobs addressing issues must instead release the changes with a license such that it can be improved upstream. This pushes companies who spend the energy to fix the bugs in an otherwise good kernel to give those changes back to the community, similar to how the companies took from the community in order to use the kernel.
> > potentially improved kernel
> Or potentially worsened kernel, which now sits in you closed down IoT device, again the license is NOT important for the normal end-user.
Well I think this is a great argument in favor of GPLv3 over GPLv2, which bans this (see [1]). This is another reason why end users could care about the license used in the code. GPLv3 code guarantees the end user the freedom to modify the code and run it on their device (or apply other people's modifications). Though I will concede that this is less of an end-user-centric idea because it requires a decent level of technical competency.
If I get something from this post and the "Are we still open source?" slides linked in the sibling comment [0], is that Open Source is a dangerous route for software that wants or expects to eventually be commercialized. I've read countless threads on HN and that seems to always be the final lesson. There are lower risk but less "idealistic" licenses such as Apache, and higher risk but also ideal licenses such as GPL.
Especially relevant to GPL, it ends up being counterproductive, as the license is a hardcore protection of the users' rights, at the expense of the project owner's rights. See the debate caused by Octotree [1], [2].
It's a pity because the way I see it, GPL is the ideal way to go. But if you need to pay the bills with software you write, it is also one of the worst open source choices out there.
(A)GPL is then relegated to either 100% vocational non-commercial code that one writes as a side project, or to big entities that for some reason write GPL code that is not part of their main business.
GPL is only becoming irrelevant because nobody has the guts to use it.
Congratulations to all the teams getting co-opted by Amazon and becoming just another Docker Enterprise.
Everyone should go GPL. The time to do it was yesterday. The next best time is now.
Make money with licenses so you can actually have a business. Unless you just like funding billion dollar companies for free. (They don't even have to contribute code back!)
Open source without fangs is free, stolen labor that gets turned against us.
GPL software can be monetized and locked away behind cloud services. If it's never actually distributed to users, then those users don't have rights to the source code under the terms of the GPL.
While adding the problem that the AGPL is worded so poorly that no one knows where its virality stops (or even if copyright possibly can be bent so far enough that that virality is enforceable) and everyone is rightfully afraid of it until such time a court of law actually manages to make heads or tails of it and set a precedent. No company I'm aware of wants to be the guinea pig subject to those court costs, much less trying to explain to a judge technical implications of the license. (That includes companies using the AGPL; I've yet to hear of a compny willing to stake their companies on answering that second question of whether or not the virality of the license is legally enforceable in the confines of current understandings of copyright law.)
It's hard for me to dismiss what is the closest to a "Mutually Assured Destruction Pact" in software licenses as merely "FUD".
Absolutely the commercial license business model is driven by that threat of "nuclear" retaliation. But that doesn't necessarily make that business model correct. (In some ways it seems rather skeevy, negotiating with someone that has an untested "nuclear device" and is threatening to use it.)
Also, just because it is untested doesn't make it any less of a nuclear device. Einstein and Bohr and a few other mathematicians had a very good idea of what a nuclear bomb could do before one was ever built or tested. We can make, based on the (poor) wording of the AGPL, some pretty good assumptions about how badly it could be used in a court of law should someone actually try to call in their threatened strike. (Everyone is too afraid to let that happen, but should it happen, it may be devastating, and worse no one knows in which direction: if the AGPL will prove to be so virulent as to be toxic or if the AGPL will open questions about enforce-ability of copyleft clauses in what are ostensibly presented as copyright licenses that risk even the GPLv2 falling to a dangerous counter-precedent. Either way, a source for great damage to the software industry should the AGPL ever go to court.)
Depends whether you value money more than code contributions.
I don’t think it would hurt to have AWS release some of their software, like the Nitro hypervisor. The world would probably benefit from that more than any license they’d have to pay.
I haven't looked at the AGPL in a long time; it is more viral than the normal GPL? My recollection was that the key difference is that "distribution" that triggers the requirement to share changes is expanded to include running it in a SaaS environment, but that's not really the part of the GPL that's "viral." Is there another difference, or what?
This gets into the long history of the GPL versus the LGPL and lots of legal battles in the text of those licenses and in the interpretation of the text in those licenses about the differences between types of "distribution" ("mere aggregation" versus "linking" versus "bundling" versus "inclusion"). In all but the "mere aggregation" case, the GPL is considered to be viral, and the LGPL relaxes that in some more "linking"/"bundling" scenarios.
The AGPL to do its work has to close the "mere aggregation" "hole" in at least some cases, which alone makes it "more viral" on the spectrum of GPL licenses. That's before you get into problems with how the APGL defines "some cases", in that it doesn't do a great job so no one knows exactly how viral it is because it will take court cases to sort out its bad wording on the subject.
(For instances: 1) The AGPL is intended to expand to include "running it in a SaaS environment" yet the way it (doesn't) define "SaaS environment" is so poor it could mean running it anywhere. 2) The AGPL was written by a PHP company and so a lot of the definitions, distinctions, and clauses from the GPL regarding the differences between binary and source distributions were struck out. Because most of the known legal definitions on "mere aggregation" with regards to the GPL hinge on those distinctions we have fewer and fewer ideas of what "mere aggregation" means with respect to the AGPL, and it again possibly implies that the AGPL's virality is potentially unbounded, that their "some cases" is intentionally or accidentally written as "all cases".)
Most of the complaints about AWS are not about license compliance and source code release, but about money and competition.
AGPL doesn't solve the AWS problem, which is that Amazon will take the project your open source company wrote and soak up all the money to be had offering that project as a service and they will do a better job of it, while still complying with the license.
A related problem is that Amazon have enough engineers they can just look at your proprietary or source available project and just clone your programming interfaces on top of a new project (and if you are unlucky, open source that, killing your market entirely).
This kind of comment does little to advance the discussion. All you're doing is steamrollering over legitimate opinions with an ad hominem attack.
For example, while I don't mind the GPL, I prefer to use more permissive licenses for my own code, because that's what's more in line with my personal ethics. I'm just not a "strings attached" kind of person. There is a courage criticism to make of how I do things, but it works in the opposite of the direction you're trying to take things: I sometimes wish I had the guts to follow SQLite's lead on software licensing.
> All you're doing is steamrollering over legitimate opinions with an ad hominem attack.
Where?
> This kind of comment does little to advance the discussion.
What are you talking about? Wider GPL adoption is central to the discussion!
Companies are taking permissively licensed work, making billions, not contributing back, and building massive platforms we'll all be forced to build upon.
AWS and the like are a step forward in terms of not needing to image and upgrade machines, but it's ten steps back in terms of computing freedom.
The future of computing is closed and they're using open source to corral us in.
> Wider GPL adoption is central to the discussion!
Sure. And so the question is, did the GPLv3 improve or degrade adoption of copyleft licensing?
To quote from Star Wars, "The more you tighten your grip, Tarkin, the more star systems will slip through your fingers."
Like it or not, companies fund the vast majority of open source software development, not hobbists, and when the FSF tried to "tighten its grip" by making a license which moved the balance of benefits more towards free software users, and away from the companies which funded the work, things didn't go well for them. And so what the FSF has found is that the the goals of the free software manifesto has been, more and more, slipping through its fingers.
Unless you can make non-free software illegal across all countries, at the end of the day, you need to find a balance where all stakeholders are comfortable with the result so that users, developers, and company freely and happily choose to use free software. This is a negotiation, and if there is more value that can be gained by signing onto the free software ecosystem, then perhaps the balance can be shifted a bit more towards the free software goals. But until you can, given that most open source developers do like food with their meals, a successful open source strategist has to be grounded in the economic and business realities. Just raising your right hand in a fist and shouting, "power to the people" and "freedom" is generally not going to get you very far.
I don't think your reference shows that. The GPLv3 was released in 2007. It obviously depends a lot on the language, since each language tends to have its own ecosystem, but the massive shift to permissive licenses really didn't start until 2008-2010, which is after the GPLv3 was promulgated. C didn't tip over to being majority permissive until 2011. So I'd argue that the analysis in the graph tends to support my contention that the GPLv3 hurt rather than helped the copyleft cause.
Post 2005 is when cloud computing & the web as an app platform began to gain traction, and a lot of open source software from ‘big tech’ is either cloud or web related.
The adoption of more permissive licenses is just because the big players favour those licences.
>For example, while I don't mind the GPL, I prefer to use more permissive licenses for my own code
This argument does little to advance the discussion either.
Some projects take a weekend to build. Others are the result of years of blood, sweat and tears.
The latter is probably where you're going to want to have a little more control over how the fruits of your labor are used and maybe get yourself paid a bit more than $0.
Not so much an attack, but my reaction was something like the post you respond to: "GPL3 doesn't work because people are abandoning GPL 3" seems like a self-reinforcing prophecy.
I am OK with people using whatever license they want for software they write. But if you think GPL 3 is ideal, by using something else you are just killing your ideal.
To me, it's not a self-fulfilling prophecy so much as a hard lesson in pragmatism. Some people care very deeply about Free-as-in-FSF. Others like the idea in vague terms, but don't assign much moral weight to it. I suspect that there's a tendency for the former group to project their feelings upon members of the latter. And that that, in turn, leads to some bewilderment when someone makes a blithely practical choice such as, "Among this range of licenses, all of which are perfectly acceptable to me, I'm going to just pick the one that I think will result in more people using the thing I made," or, "I'm going to just pick the one that's easiest for me to understand."
If you don't like "strings attached" then it certainly makes no sense to use a so-called "permissive" license, as the core--in fact, only--permission that such licenses offer over the various copyleft licenses is the permission to take all the other permissions away from downstream users... the people we should all be fighting for! "The only string attached to usage of this software is that you are not allowed to attach additional strings to this software."
I just can't bring myself to see it that way. If someone incorporates code I've open sourced into a commercial product, that takes nothing away from me or anyone else. The only permission I ever gave was for others to use some code I wrote for their own purposes. That doesn't change if someone incorporates it into a closed source product. It's not like someone else choosing not to open source their additions causes the original software license on the original code to disappear in a puff of smoke.
Why? These users overall aren't even willing to pay token money to support the creator so why should the creator care about them more than their own goals and desires?
Or is it perhaps because users don't want to use it unless they have no choice (in terms of software alternatives released under other OSS licenses)?
20 years ago GPL was the only thing most users new to OSS knew about. Since then they have learned there are better choices Meanwhile GPLv3 was the final nail in the coffin of the bossy OSS licenses.
One thing I don't get is why the OP proclaims love for GPLv3. It's the worst GPL license out there. I avoid it as both a contributor and user.
Corporate fangs win at the end. It is social pressure for monopoly autocracy and corporate practices. You should have had the freedom to choose whatever license you had in mind without being harassed by company employees or people who misunderstand how to use a GPL licensed product. Dual licensing would be better than giving up the reasons why you chose GPLv3.
Corporations can use GPLv3 in their codebases, they r just not bothered following the lawyer approvals so that code is shared back. If you cared about that, perhaps a better option is dual licensing.
I hope that the project does not become...yet another free labour camp by developers for big tech money bags.
Note the position of the hardest GPL defenders in this Github thread was that:
a) You need to have absolute 100% of the code ownership/copyright in order to change the project license. This is not true and there have been precedents where a valid and successful relicense was done with much less (if I remember correctly I learnt this from a comment somewhere hidden in that same Github issue)
b) The other project contributors would not necessarily agree with the relicense. Which was not the case: the most prominent contributors showed up and explicitly gave the author ownership (or free license) over their small parts of the code.
In our experience, all of the contributors were happy to give permission to re-license the code. They generally believed in the project (that's why they contributed) and wanted TerminusDB to be as successful as possible - if the core team felt that was going to happen by moving to Apache, they weren't going to stand in the way.
I suppose you could have somebody quite ideologically attached to the GNU/GPL who could then hold up a change. If the code was core and you couldn't easily re-implement, could make the price high.
We had the same experience with the Linux kernel. The original license was even more hard-line that the GPL --- it ruled out any way of making money, even selling CD-ROMs with Linux on it. Linus had to consult with all of the contributors to relax the restrictions to GPLv2, and we all agreed that it was in the best interests of the community. So there was no problems in terms of getting consent from all of the developers to make that license change to something more permissive than the original license.
At the time, the failure modes of the more permissive licensing model (for example, of NetApp's innovations for things like WAFL were never contributed back to BSD) were more foremost in our mind, and so for us the GPLv2 was the right compromise between the rights of the community and the companies using, and improving, the code. Of course, the decision that we made in 1992 was in a world very different from 2020, and so hopefully the choice of the Apache license will be the best one for TerminusDB. I have only the best wishes for you and your community!
From a business's perspective, there are can absolutely be legitimate concerns to taking certain kinds of dependencies on GPL software. But the ones that seem most legitimate to me concern core library dependencies. I have a really hard time seeing how one would be comfortable, as so many businesses are, with building their entire tech stack on top of OpenJDK, but then balk at a database server that isn't even running in the same process space as the rest of your code.
Is there any legal grounding there, or is it just that we're all comfortable with Java, whereas a new database is a new thing, and we're naturally more fearful about new things?
AFAIK the classpath exception is intended to make the ecosystem work in a similar way to how GPL system libraries interface with non-GPL C code. Please correct me if I'm wrong.
Well, presumably you mean LGPL system libraries like glibc etc., but yes, I understand that is roughly the idea.
I think they came up with GPL + classpath exception instead of adopting LGPL because LGPL has all this language about static vs. dynamic linking etc. that is rooted in the C world and not how Java does things.
My company's legal team is fine with GPL + classpath exception, but skittish about LGPL. It had never really occurred to me that that might be the reason why. Perhaps the problem is that the LGPL's C-centric language means that trying to use it as a general-purpose library for any platform, including ones that don't work like C, puts it in murkier legal waters.
So sad seeing so much FUD about gplv3. I've spent years gpl-ing my daily desktop and server stacks, and comments about why $BEHEMOTH don't use it just reinforce to me its the right move.
I just wish more devs had the courage to just stop capitulating to fear of a few different types.
That said, Apache 2.0 is one of the licenses I usually consider as acceptable (as opposed to mit and bsd).
> I've spent years gpl-ing my daily desktop and server stacks, and comments about why $BEHEMOTH don't use it just reinforce to me its the right move.
This. I've heard that licensing my code under the AGPLv3 will prevent its widespread use by industry, and my answer to that is, good! I licensed the code under the AGPLv3 because I intend for it to be used under the terms of the AGPLv3. If that puts companies off because they want to use it for free, but don't want to use it under those terms, then my licensing requirements are working as intended.
If you want to pay me, that's a different story, and I leave the door open for commercial licensing.
I think it's just a general trend that those who don't like bsd/mit but don't go gpl for whatever reason tend to use apache 2.0 as the other commenters mention.
I found this website on stackexchange that is good for comparing: https://tldrlegal.com/
> I just wish more devs had the courage to just stop capitulating to fear of a few different types.
It's not fear: it's Apache-/MIT-/BSD-license-as-marketing. It' no longer enough to have a project that solves a specific problem - you now have to build "mindshare" and a "community" and have the metrics to show VC's so they can fund your growth, and corporate acceptability is key here. The playbook of a successful open source project is:
1. Use the most liberal license you can think & grow a community
2. Become popular, gain traction in enterprise market & get millions in funding
3. AWS forks your project, tells customers they can scale it better than you
4. Investors call you and demand you do something - competing with Amazon wrecks all their projections on your future revenue. You add anti-cloud-hosting clauses to your license - building a community is no longer a concern the way Amazon is.
TerminusDB were on step 0 (no thanks to the GPL), now they are on step 1.
The central message that they are caving in to some nebulous group of potentially cash-rich projects because those devs whine about GPLv3 is understandable if not exactly admirable. I mean, who does not read the following and think "you could make that 4 out of the top 20"?
Maybe if MySQL, its offshoot MariaDB, and our graph brothers Neo4j weren’t the only GPL flag flyers in the top 20 databases, it might be easier to gain adoption with GPL
That compounded with the following trite slogan actually detracts from what should have just been a simple announcement instead of extended squirming:
code freedom is being overtaken by developer freedom
Granted IANAL, can someone explain how the AGPL prevents aaS providing of _unmodified_ AGPL-licensed software?
Reading the license text[0], the prominent section related to remote network interaction very clearly notes "if you modify the Program", and the terms and conditions lay out that "Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying".
When people discuss not being able to offer AGPL-licensed programs as a service, are they exclusively talking about modifications?
Another point is the requirement to only provide source to your users, who might be bound by something else, like an EULA that prohibits them from using the AGPL software you give to them to run a competing service, for example.
I guess until this stuff gets tested in a court of law, everyone is reacting to the threat of litigation more than actual litigation but it feels like the threat to companies is overblown, except if they try to improve the software and not contribute back.
I had always assumed (without really verifying it) the reason for this was because for a large company that would be capable and interested in re-selling these services, they would NEED to make some changes to integrate it with their rest of their systems. And those changes would be very sensitive and specific to their own infrastructure and system.
At least in my limited experience with extremely large companies (which are the companies that would be capable/interested in reselling these services) they rarely run open source software exactly as is, even for their internal usage. They usually patch it themselves or contract out patches either to fit within their systems, or for specific features the want/need.
Ahh OK, then this is really more against large enterprises and less for lean/smaller aaS companies. Seems like there's some leverage here to be taken advantage of.
For example, MongoDB used to be AGPL and there where some companies dedicated to provide hosted services for it. Specifically MongoHQ (later renamed to Compose) and MongoLabs (later renamed to mLabs). I believe neither of these companies had any specific contract with MongoDB, nor where they breaching the AGPL in any way.
However, MongoDB eventually changed it's license in a way that explicitly made it impossible for these services to continue to exist without making their entire stack open source, or getting a separate license agreement with them. In this particular example, the impact may have been minor for these two companies, as Compose got acquired by IBM before this, and mLabs got acquired by MongoDB themselves. But any other product that effectively ran hosted MongoDB for you would need to get a license from MongoDB. It is speculated (fairly) that these changes were made so that MongoDB could get a greater market share with their own hosted that they sell, and to block out much bigger cloud providers from finding ways to wrap their services in non license breaking ways, but still not providing much more extra value add other than hosted Mongo.
I first came across the dilemma of choosing an open source license when I wanted to create and distribute an Opera (pre-blink / chromium version) browser extension through their add-on online platform. Opera was promoting the Apache license to everyone, as a default, and urged me too to chose that when I submitted by extension. After some research online, I figured it was because an Apache license made it easier for them to re-use and integrate the code with any of their proprietary (or otherwise) product and permission for such use was implicit in the license. GPL v3 was more restrictive due to its viral nature.
I ultimately chose the GPL v3 license, so that if anyone wanted to use my code commercially in a proprietary product, they would have to consult with me to work out a suitable arrangement (like dual licensing and granting them the right to use the code with a more permissive license - this would be easy in this case, as I was the sole developer with all rights). This was not done with any monetary consideration in mind but as a young developer I just wanted to be made aware when someone wanted to use my code commercially, to mention the same in my resume.
The second reason was that GPL v3 better protects the ideal of open source that I subscribe to - the USER should have access to the source code and be able to modify and use it for their own purposes. Other more permissive open source license don't protect this right.
This is where AGPL comes in too.
With "cloud computing" and "software as a service" becoming popular, many tech corporates that had avoided GPL softwares, now started using the software on servers and offering it as an online hosted service. GPL requires you to share the source code, along with any modifications, when someone asks for it, when you distribute a software using GPL code. But with online hosted services, corporates claimed that since they weren't distributing the software and the user was not running it on his computer, they didn't need to share the source code or any modification made to it with anyone.
AGPL was created to prevent this and further protect the USERS right, as it forced anyone who chose to use AGPL software and offer it as a service, to share their source code.
I still believe GPL / AGPL is the BEST open-source license. All developers are also USERS of their application. Thus, GPL's focus to protect the USERS right at all cost, works to protect your rights as a developer too as your source code, in any form, will always be open and available.
For commercial open source projects, dual license (partially or fully closed + GPL) is the way to go. MySQL / MariaDB is a good example.
I'm also wondering if it's even worth bothering with this at all and whether companies should just open source the orchestration software/shim layer. Open sourcing the shim/adapter you use to orchestrate running the unmodified software doesn't even seem to be an issue, because usually what's stopping competitors is not simply development difficulty. Then the question becomes how far past the orchestration does the virality go -- I think it's pretty hard to make a case that your customer frontend (which is where the money gets made) that calls out to the orchestration software (maybe it doesn't even, maybe it just puts a message on a queue) is now a work derived from the Program.
Here's a more concrete example. If I want to run a hosted mongo service, I can take mongodb's own k8s operator[0] and build using that. For this to be damaging to the business, the virality of AGPL would have to extend all the way to whatever software I use to check out customers, but even that seems like it would be fine if that software was open source too (imagine some self-hostable saas project that takes your stripe key as an ENV variable).
Here's another thing worth considering -- who is going to sue companies that violate? Some random group of developers? The EFF/FSF + a developer? when are they going to sue you? By the time that you're a giant company off of the software, even if a competitor got the complete source code to one, two or all services that run on your platform, could they really replicate it? Wouldn't they still have to get that source from a customer (user) that requested the source?
It seems that if you really want to stop this from happening, something like the Business Source License[1] (or some equivalent license) or bust.
Aside from all this, it really feels like AGPL is the best license for all software -- it really hits the "don't use this if you will improve it but not contribute back" intention perfectly -- if you make your derived work public (such that your modified version becomes the unmodified version) it seems like there are little to no issues running a business on it.
They want to have the option to, when they see a market opportunity, slap a logo and one tiny feature on top, and a price tag!
If there was a single, one, any tiny reason to not use GPL, nobody would be using linux.
Not using GPLv3 is sabotaging open source. People who stand with corporations and dislike GPLv3, are the same people that stood with microsoft in the 90s and disliked GPLv2. There's no way to please that people. Let them go. You do not need them.
I am mostly a commercial software user, but I owe the GPL the possibility of having had access to UNIX at home.
As such everything I do outside work, is dual licensed, don't want to pay me? GPL
Want to earn money with my work? Lets talk about a commercial license that makes sense to both parties.
I was there in the shareware/public domain days, and this is where everything is going back to with these decisions of moving away from the GPL.
The major uptake of BSD UNIX clones across the industry shows how it would have worked out without Linux and GNU being GPL, basically HP-UX, Solaris, Aix, Irix would still dominate the server room.
Everyone who tries to predict alternative universes will get it wrong.
You say that because there was BSD, apple could have OSX and not license Solaris or what not.
I say that without BSD licenses, Apple would have OSX with proper open source and up to date releases. Heck they did that with the kernel and most of the distro for a while.
Maybe unmodified AGPL software can be run as a network service without providing the source code because the source code is already available from the original author.
Yup that's precisely my point -- if this is the case then where is the protection from aaS that everyone seems to think is there? All the provider has to do is just... not modify the software, or only make modifications that don't expose their proprietary orchestration systems and benefit everyone else in the process (but they really benefit the most, because they're making money off of the software).
If you get more nefarious with it, what if they started building tooling around it -- like a proxy that rewrote requests to fix a bug, or a file system that sat underneath the program that solved some issue with IO?
I also think that the majority of value delivered by something like RDS is not actually proprietary changes, it's just the underlying software being kinda good (because it was developed in the open, and the F/OSS community was leveraged as bug finders and fixers) -- I'm thinking mostly of Postgres. Even things like HA and scalability are often considered in projects these days, so you wouldn't even need to add much to check off the usual enterprise-y boxes.
They seem to really believe the GPL better reflects their views, but feel coerced by corporations and by what they see as widespread misconceptions into dishing it.
They cite the GNU manifesto, they even seem to encourage a GPL fork, almost as if they wanted this to happen.
> We would welcome a GPL fork of the TerminusDB code – we are happy to work with any such project should it emerge.
If you have ideals and it saddens you that someone seems forced to compromise theirs: stay strong! Your ideals are important, fight for them. You may have to make compromises but do not let it hinder them.
Mozilla Public License v2 doesn't get enough love.
It's copyleft, but not viral like the GPL is. It is GPL compatible but can also link to (and be linked by) proprietary code. It is file-based, so the rule is that if you modify one of the original project files, it has to be provided under MPLv2 - but extensions to the original library in separate files are permissible.
It also provides a lot of the same protections that Apache 2.0 provides in comparison to MIT/BSD licenses.
Indeed I need to check the MPL more closely. My reservations with the GPL were never about sharing modifications of the code I received under the GPL, but for the restrictions it applies to the rest of the product. Those are often incompatible.
> I’m sure our perspective will shift over time, but from where we’re standing, having a cloud provider launch a competing service would be a sign of enormous success. (And this is not to say that the cloud providers’ parasitic approach to OSS projects is not a genuine problem, it simply acknowledges that you have to be a widely used OSS project before it becomes* a problem).*
Interesting. This seems to be the licensing equivalent of "Piracy is Progressive Taxation", which is an angle on software licensing I hadn't considered before (and it should have, since these are copyright licenses, and similar popularity-based dynamics regarding violation of norms ought not to be surprising):
> The substantive points of practical difference are far less important
IMO the substantive points of practical difference are vastly important: the obligations of GPLv3 vs Apache 2.0 are not the same...
The whole document is a side-discussion never addressing the changes in obligations. It's about the supposed predominance of license-signaling over what is actually written and wanted by licenses. It even randomly talks about AGPL at one point, without any specific reason for doing that, except somehow qualifying it as a "pariah" license, maybe in an attempt to associate the GPL a little with that derogative qualification.
This reads as if they do not actually give a fuck about the actual effects of the various license but only about second order effects caused by some mainly folklore signaling. The first sentence of "Why Shift Licenses" could even be taken directly as an argument for not doing it. I find the whole thing extremely sad.
The substantive points have little bearing on perceptions held by those that are key to the survival of a small startup and that can't realistically be changed by a small startup.
One could of course feel that the difference in obligations are more important, but those who believe this are also free to fork the project and demonstrate just how easy survival would be trying to ignore the consequences of the perceptions.
It's clearly possible for some GPL projects to keep forging ahead despite the difficulties, but survival rates paint a picture that isn't so kind.
Unless existing outside contributors agreed to relicense, then all of their existing work is still GPLv3, as I don't see any CLA or copyright assignment as a prerequisite for contribute. That or they have had to remove those contributions.
I didn't see that mentioned in the announcement, so TBD.
Yes! I didn't mention, but I contacted all contributors directly over the last month or so and asked for permission to re-license their code. We only went ahead with the change when everybody had signed off on the shift. In fact, all the contributors were postively disposed to the shift (with a few even suggesting that we go 'server side' immediatly to stop the AWS threat!)
It's worth noticing some subtly in this. Those companies tend to be OK with the GPLv2 but not the GPLv3. A question to ask and that'll help understand all of this is... why do big corp lawyers not like GPLv3 when they were fine with GPLv2?
It's not an issue of copyleft.
Note, IANAL. I've just talked with several about licenses.
As shown in the article with the excerpt from Google's policy, I think you'll find the FAANG-type policies are all similar... any GPL* requires specific approval from legal, whereas the common liberal licenses have simplified approval.
The GPL2 linux kernel may be treated as an exception and allowed, but it doesn't mean GPL2 anything else won't be treated like leprosy.
IDK about all the FAANGs, but at least when I worked at Microsoft this wasn't true: GPLv2 had the same auto-approve policy as MIT/BSD licenses, whereas GPLv3 was forbidden without specific dispensation from legal.
One word: patents. GPLv3 has wording which suggests that you need to give up rights to patents when you contribute. If you're a large company, with a large patent portfolio, this becomes an expensive endeavor. Either you give up patents (which might have value), or you do an exhaustive search to verify that no patents are being infringed.
Apache 2.0 has similar patent language as GPLv3, and is the current bigcorp favourite open source license, so I'm not sure that's correct. Or am I missing something?
This is true, however I think that the perceived "viral" nature of the GPL gives the impression that patent invalidation can easily spread around to proprietary projects as well.
IANAL, but the GPL2 allows bundling and "tivoization" [0] with proprietary code, whereas the GPLv3 tries to prevent it. So, with v2, you can ship your proprietary application with an unmodified GPL'd tool along with it, but with v3 you can't. For v2, the copyleft applies to modifications of the tool, for v3 the fear is that the copyleft applies to all the software that touches the tool.
Couldn't you just GPLv3 the code and sell big companies a private more permissive license for a big amount of money if they come knocking? Seems win/win to me, am I missing something?
You can and this is indeed a good business model. This is what QT used in the earler times. The one thing you are limiting though, is to get patches from the users community. They would have to explicitly grant you the license to use them in a non-gpl way. So if you want a lot of development happen outside your own, this is a big challenge.
A year ago I opened a box that my receiver (for my home theater) came in. It had the GPL printed in booklet form.
If I didn't know what the GPL was, I'd assume that one of the employees in the factor was a religious nut job and slipped the pamphlet it.
The problem with the GPL is that it's not a license. It's a political manifesto. This is why there's the "Simple Public License (SimPL) 2.0," https://opensource.org/licenses/Simple-2.0. It's a license that's supposed to be the same as the GPL, but has no manifesto associated with it.
It's a political manifesto, because policy-making (de facto, de jure, by private entities, or by governments) is the whole point of politics. If you disagree with another entity's decisions (policies), you can and should oppose.
Politics is everywhere. The GPL licenses just choose to be explicitely political. After all, any other restrictive license that forbids users to change the product they buy is making a poli1tical statement too, even if it doesn't say so in its preamble.
No, the license proper is nothing like a political manifesto.
The introductory paragraph (preamble) is, and personally I would indeed strip it from the COPYING or LICENSE.txt file and just start at "0. This License applies" whenever using the GPL2.
>Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
From wiki though:
>According to the GPL FAQ, anyone can make a new license using a modified version of the GPL as long as they use a different name for the license, do not mention "GNU", and remove the preamble, though the preamble can be used in a modified license if permission to use it is obtained from the Free Software Foundation (FSF).[60]
It's clear that the Apache license is more friendly toward corporate concerns. But companies were willing to deal with GPLv2, because there were sufficiently large projects (such as the Linux kernel) that added enough value that it overcame their fears over how the GPLv2 restricted how they could monetize their software engineering investments.
Unfortunately, the GPLv3 and even more so, the AGPLv3, was simply a step too far; put simply, in my opinion, the FSF overplayed their hand. Whether a more scaled back GPLv3, or simply sticking with GPLv2, with all of its admitted ambiguities and admitted legal short-comings, would have made enough of a difference at the end of the day is impossible to know. But I think copyleft as a viable open source licensing regime, and the GPL in particular, would have had a much better chance of success if GPLv3 never happened.